Snort mailing list archives
Re: snort does not send reset in freebsd/ipfw inline mode
From: Rajkumar S <rajkumars () gmail com>
Date: Thu, 20 Jan 2011 21:42:09 +0530
Just an update on this: reset is being sent when I tried with Snort Version 2.8.6.1 (Build 39) inline FreeBSD. So this might indicate a bug in 2.9.0.3.

raj

On Wed, Jan 19, 2011 at 11:30 PM, Rajkumar S <rajkumars () gmail com> wrote:
Hello,

I am testing snort 2.9.0.3 with inline under FreeBSD 6.2-RELEASE-p12 and IPFW. Everything seems to be working except that no packet gets dropped and no reset is being sent.

I am using snort Version 2.9.0.3 (Build 98) FreeBSD, which is compiled with the following options:

    ./configure --enable-flexresp3 --enable-react --enable-active-response

My snort.conf is as follows:

    var HOME_NET 192.168.3.0/24
    portvar HTTP_PORTS [80]

    config disable_decode_alerts
    config disable_tcpopt_experimental_alerts
    config disable_tcpopt_obsolete_alerts
    config disable_tcpopt_ttcp_alerts
    config disable_tcpopt_alerts
    config disable_ipopt_alerts
    config checksum_mode: all
    config pcre_match_limit: 1500
    config pcre_match_limit_recursion: 1500
    config detection: search-method ac-bnfa max_queue_events 5
    config event_queue: max_queue 8 log 3 order_events content_length

    preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp no, max_active_responses 2, min_response_seconds 5
    preprocessor stream5_tcp: policy windows, use_static_footprint_sizes, ports client 21 22 23 25 42 53 79 80 109 110 111 113 119 135 136 137 139 143 110 111 161 445 513 514 691 1433 1521 2100 2301 3128 3306 6665 6666 6667 6668 6669 7000 8000 8080 8180 8888 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, ports both 443 465 563 636 989 992 993 994 995 7801 7702 7900 7901 7902 7903 7904 7905 7906 6907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920

    reject tcp $HOME_NET any -> any $HTTP_PORTS (msg:"Unauthorized Access Prohibited!"; resp:rst_all; sid:1; rev:1;)

The command line I use to start snort is:

    snort -vQ -c /usr/local/etc/snort/snort.conf -A fast -h 192.168.3.0/24 -s --daq ipfw --daq-var port=8100 --alert-before-pass

IPFW rules are:

    02000 divert 8100 tcp from any to any dst-port 80
    02100 allow ip from any to any
    65535 deny ip from any to any

When I send a single HTTP GET via snort, I get the following alert in the alert file 7 times:

    01/19-23:13:22.087778 [Drop] [**] [1:1:1] Unauthorized Access Prohibited! [**] [Priority: 0] {TCP} 192.168.3.19:50471 -> xx.135.40.xxx:80

I am able to see packets printed out in snort's output when I start snort, i.e. snort is getting packets from the divert socket, and if snort is not running packets are not being forwarded. So all packets are being seen and approved by snort.

I have posted the full snort output at http://pastebin.com/9F2y4m5k

The output starts with the following lines:

    Enabling inline operation
    Running in IDS mode

and the startup sequence ends with:

    [ Port Based Pattern Matching Memory ]
    ipfw DAQ configured to inline.

            --== Initialization Complete ==--

       ,,_     -*> Snort! <*-
      o"  )~   Version 2.9.0.3 (Build 98) FreeBSD
       ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
               Copyright (C) 1998-2010 Sourcefire, Inc., et al.
               Using libpcap version 1.1.1
               Using PCRE version: 8.12 2011-01-15

After pressing Ctrl-C I can also see the following output:

    Action Stats:
         Alerts:            7 ( 36.842%)
         Logged:            7 ( 36.842%)
         Passed:            0 (  0.000%)
    Match Limit:            0
    Queue Limit:            0
      Log Limit:            0
    Event Limit:            0
    Verdicts:
          Allow:           12 ( 63.158%)
          Block:            0 (  0.000%)
        Replace:            0 (  0.000%)
      Whitelist:            0 (  0.000%)
      Blacklist:            7 ( 36.842%)
         Ignore:            0 (  0.000%)

I get 7 alerts and logs, and all of them happen to be Blacklist and not Block, but the alert log shows [Drop]. I guess there is some configuration problem in my snort.conf or rule which is causing snort not to actually block the traffic.

Any help to get this working is much appreciated.

with regards,
raj
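The discrepancy the post turns on is between the per-alert "[Drop]" tag in the fast-alert log and the DAQ verdict counters printed at shutdown (Block 0, Blacklist 7). The following is an added example, not code from the thread or from the Snort project: it parses both outputs and reconciles them, so that an operator testing an inline deployment can see in one place whether the drop-tagged alerts are backed by blocking verdicts, and whether those verdicts are per-packet (Block) or flow-level (Blacklist, which asks the DAQ module to drop the packet and every later packet of the same flow). The sample alert lines and statistics block are constructed from the figures quoted in the post; the masked destination address is replaced with a TEST-NET-2 address.

```python
"""Reconcile Snort 2.9 fast-alert output with the DAQ verdict counters
printed at shutdown. Added example; the sample text below is constructed
from the figures quoted in the thread, not captured output."""
import re
from collections import Counter

# Constructed sample: seven [Drop] alerts for sid 1 as in the post, with the
# masked destination replaced by a TEST-NET-2 address (RFC 5737).
SAMPLE_ALERTS = "\n".join(
    f"01/19-23:13:22.{87778 + i:06d} [Drop] [**] [1:1:1] Unauthorized Access Prohibited! "
    f"[**] [Priority: 0] {{TCP}} 192.168.3.19:50471 -> 198.51.100.40:80"
    for i in range(7)
)

# Constructed sample of the shutdown statistics block quoted in the post.
SAMPLE_STATS = """\
Action Stats:
     Alerts:            7 ( 36.842%)
     Logged:            7 ( 36.842%)
     Passed:            0 (  0.000%)
Verdicts:
      Allow:           12 ( 63.158%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            7 ( 36.842%)
     Ignore:            0 (  0.000%)
"""

# One "alert_fast" line. The optional leading "[Drop]" tag is present when
# Snort marked the packet to be dropped (drop/reject/sdrop rule, inline).
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?:\[(?P<action>\w+)\]\s+)?\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:[^\]]*\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

VERDICT_NAMES = ("Allow", "Block", "Replace", "Whitelist", "Blacklist", "Ignore")
STAT_RE = re.compile(r"^\s*(\w+):\s+(\d+)\s+\(")


def parse_fast_alerts(text):
    """Return one dict per alert_fast line; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["action"] = d["action"] or "Alert"  # untagged lines are plain alerts
            alerts.append(d)
    return alerts


def parse_verdicts(text):
    """Extract the 'Verdicts:' counters from the shutdown summary."""
    verdicts = {}
    in_verdicts = False
    for line in text.splitlines():
        if line.strip().startswith("Verdicts:"):
            in_verdicts = True
            continue
        if in_verdicts:
            m = STAT_RE.match(line)
            if not m or m.group(1) not in VERDICT_NAMES:
                break  # end of the verdict block
            verdicts[m.group(1)] = int(m.group(2))
    return verdicts


def reconcile(alerts, verdicts):
    """Compare [Drop]-tagged alerts against the blocking verdicts.

    Block is a per-packet drop; Blacklist asks the DAQ module to drop this
    packet and every later packet of the same flow. Either one only takes
    effect when the DAQ is really inline ("ipfw DAQ configured to inline").
    """
    by_action = Counter(a["action"] for a in alerts)
    dropped = by_action.get("Drop", 0)
    block = verdicts.get("Block", 0)
    blacklist = verdicts.get("Blacklist", 0)
    return {
        "drop_alerts": dropped,
        "blocking_verdicts": block + blacklist,
        "verdicts_cover_drops": block + blacklist >= dropped,
        "flow_level_only": dropped > 0 and block == 0 and blacklist > 0,
    }


if __name__ == "__main__":
    summary = reconcile(parse_fast_alerts(SAMPLE_ALERTS), parse_verdicts(SAMPLE_STATS))
    print(summary)
```

On the post's numbers the script reports seven drop-tagged alerts covered by seven blocking verdicts, all of them flow-level (flow_level_only is True). That tells you the detection side did what the reject rule asked; whether the packets actually left the box is then a question for the DAQ module and the divert path, which the counters alone cannot answer.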
Current thread:
- snort does not send reset in freebsd/ipfw inline mode Rajkumar S (Jan 19)
- Re: snort does not send reset in freebsd/ipfw inline mode Rajkumar S (Jan 20)
- Re: snort does not send reset in freebsd/ipfw inline mode Russ Combs (Jan 28)
- Re: snort does not send reset in freebsd/ipfw inline mode Rajkumar S (Feb 03)
- Re: snort does not send reset in freebsd/ipfw inline mode Russ Combs (Jan 28)
- Re: snort does not send reset in freebsd/ipfw inline mode Michael Scheidell (Feb 04)
- Re: snort does not send reset in freebsd/ipfw inline mode Russ Combs (Feb 07)
- Re: snort does not send reset in freebsd/ipfw inline mode Rajkumar S (Jan 20)